Use Fragmented IP Packets (-f, -ff)
A fragment is an IP frame that has been split into smaller pieces. This process is normally used to traverse links that can't handle large frame sizes, such as WAN links. During normal operation, this process is invisible to the end user.


When a station fragments data, each fragmented piece of information has its own IP header. All of the fragmented packets are sent across the network and are not (usually) reconstructed until they all arrive at the remote device. Under most circumstances, the remote device rebuilds the original frame from the fragments, but some networks have firewalls, intrusion detection systems, or proxy servers that will rebuild the frame for security testing before sending the fragments (or the rebuilt packet information) to the remote device.


The IP Fragmentation Process
The fragmentation process occurs at the IP layer, so everything underneath the IP header will be fragmented. In this example, the IP header is transporting 24 bytes of TCP data. Since both the 20 byte TCP header and the 24 bytes of TCP data will be fragmented, the total amount of fragmented data will total 44 bytes:

[Figure f_nofrag: the unfragmented packet (DLC header, IP header, 20-byte TCP header, 24 bytes of TCP data)]

Due to the number of fragmentation offset bits available in the IP header, the size of the fragments must be a multiple of eight. This example will use a fragment size of 16 bytes.

Once the packet is fragmented, it retains a DLC header and an IP header but the data underneath is now split into smaller pieces. Since the fragment size is 16 bytes and the total amount of data to fragment totals 44 bytes, the fragmentation process will create three frames:

[Figure f_frag: the same packet split into three 16-byte fragments]

Notice that the TCP header (colored yellow) spans two fragments, but the TCP header isn't rebuilt in each frame. Instead, the TCP header and the TCP data are contiguously added to the subsequent fragments. The last fragment of data consists of only 12 bytes, but the final packet doesn't need to completely fill the 16 byte fragment size. The last 12 bytes are simply attached to the last frame of the fragmentation.
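To make the byte accounting above concrete, the following Python script (added here as an example; it is not part of the original article and is not nmap's code) builds a constructed 44-byte payload of the kind shown in the figures, a 20-byte TCP SYN header followed by 24 bytes of data, splits it at a 16-byte and at an 8-byte fragment size, reports which fragments carry pieces of the TCP header, and then reassembles the fragments the way the receiving host, or a firewall or IDS that rebuilds packets before inspecting them, would. The fragment offset is kept in 8-byte units, as the IP header carries it, which is why the size check rejects anything that is not a multiple of eight. The port numbers and data bytes are constructed sample values.

```python
"""Added example (not from the original article): walk through IP fragmentation
on a constructed 44-byte payload (20-byte TCP header + 24 bytes of data), then
reassemble it the way a receiving host or an inspecting firewall/IDS would."""
import struct
from dataclasses import dataclass

IP_MF_FLAG = 0x2000   # "More Fragments" bit in the 16-bit flags/offset field
TCP_HEADER_LEN = 20


@dataclass
class Fragment:
    offset_units: int      # fragment offset in 8-byte units, as the IP header carries it
    more_fragments: bool   # set on every fragment except the last
    payload: bytes         # the slice of data carried below the IP header

    def flags_and_offset(self) -> int:
        """The 16-bit flags+offset field value a packet decoder would show."""
        return (IP_MF_FLAG if self.more_fragments else 0) | self.offset_units


def build_sample_payload() -> bytes:
    """Constructed sample: a minimal TCP SYN header (20 bytes) plus 24 bytes of data."""
    tcp_header = struct.pack("!HHIIBBHHH",
                             40000, 80,       # source port, destination port (sample values)
                             1, 0,            # sequence and acknowledgement numbers
                             5 << 4, 0x02,    # data offset = 5 words, SYN flag
                             65535, 0, 0)     # window, checksum (left zero), urgent pointer
    assert len(tcp_header) == TCP_HEADER_LEN
    return tcp_header + b"A" * 24


def fragment_payload(payload: bytes, frag_size: int) -> list[Fragment]:
    """Split everything below the IP header into pieces of frag_size bytes.

    frag_size must be a multiple of 8: the 13-bit fragment offset counts 8-byte
    units, so a boundary can only fall on a multiple of eight. The last piece may
    be shorter (12 of 16 bytes in the article's example) and is sent as-is.
    """
    if frag_size <= 0 or frag_size % 8 != 0:
        raise ValueError("fragment size must be a positive multiple of 8 bytes")
    fragments = []
    for start in range(0, len(payload), frag_size):
        chunk = payload[start:start + frag_size]
        more = start + frag_size < len(payload)
        fragments.append(Fragment(start // 8, more, chunk))
    return fragments


def fragments_holding_tcp_header(fragments: list[Fragment]) -> list[int]:
    """Indices of the fragments that carry any byte of the 20-byte TCP header.

    With 16-byte fragments the header spans fragments 0 and 1, so a filter that
    inspects only the first fragment never sees the whole header.
    """
    return [i for i, frag in enumerate(fragments)
            if frag.payload and frag.offset_units * 8 < TCP_HEADER_LEN]


def reassemble(fragments: list[Fragment]) -> bytes:
    """Rebuild the original payload from fragments received in any order.

    Reassembly has to wait for every piece; a gap, an overlap, or a missing final
    fragment (MF still set on the highest offset) is rejected rather than guessed.
    """
    ordered = sorted(fragments, key=lambda f: f.offset_units)
    data = bytearray()
    expected_start = 0
    for frag in ordered:
        if frag.offset_units * 8 != expected_start:
            raise ValueError(f"gap or overlap at byte offset {expected_start}")
        data += frag.payload
        expected_start += len(frag.payload)
    if not ordered or ordered[-1].more_fragments:
        raise ValueError("final fragment (MF clear) not received; cannot reassemble")
    return bytes(data)


if __name__ == "__main__":
    payload = build_sample_payload()
    for size, option in ((16, "-ff / --mtu 16"), (8, "-f / --mtu 8")):
        frags = fragment_payload(payload, size)
        print(f"{option}: {len(frags)} fragments")
        for i, f in enumerate(frags):
            print(f"  frag {i}: offset={f.offset_units} ({f.offset_units * 8} bytes) "
                  f"MF={int(f.more_fragments)} len={len(f.payload)} "
                  f"field=0x{f.flags_and_offset():04x}")
        print("  TCP header bytes live in fragments", fragments_holding_tcp_header(frags))
        # Feed the fragments back in reverse order to show that order does not matter.
        assert reassemble(list(reversed(frags))) == payload
```

The 16-byte run reproduces the figure: three fragments with offsets 0, 2 and 4 (in 8-byte units), lengths 16, 16 and 12, and the TCP header split across the first two. The reassembly side is deliberately strict; an inspection device that accepted gaps or overlapping fragments would be making security decisions on data the end host may never see.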


How to Fragment IP Data with nmap
Unless one of nmap's fragmentation options is specified, nmap sends non-fragmented frames to remote devices. Nmap's fragmentation option (-f) is a simple method of sending nmap data with the smallest possible fragmentation value of eight bytes.

The -ff fragmentation option will double the fragmentation value to the second-smallest value, or 16 bytes. Nmap doesn't have an -fff option, so 16 bytes is the maximum fragmentation size available from these options.

If additional fragmentation options are required, the --mtu option can be used to create any fragmentation value.


# nmap -sS 192.168.0.1 -f
is the same as
# nmap -sS 192.168.0.1 --mtu 8

and

# nmap -sS 192.168.0.1 -ff
is the same as
# nmap -sS 192.168.0.1 --mtu 16


Using IP Fragmentation
The usefulness of this option is a bit of a toss-up. In nmap, a major goal of fragmenting data is to obfuscate the IP data so that it can traverse the network without any filtering or alteration. However, many firewalls and security devices reconstruct fragmented packets so that security decisions can be associated with the data.

This option requires a privileged user, and it isn't available on all operating systems or in all circumstances. If an operating system other than Linux or one of the BSD flavors is used (such as Windows XP), this message is displayed:
Warning: Packet fragmentation selected on a host other than Linux, OpenBSD, FreeBSD, or NetBSD.  This may or may not work.
I tested this option on Windows XP Service Pack 2, and the -f and -ff options successfully fragmented the packets.